HD Moore released one today that returns a Local System shell on port 4444. I've run it in the lab and, as expected of all HD code, works consistantly. g On Fri, 25 Jul 2003 15:56:57 -0400 "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net> wrote:

George-

Which exploit are you referring to? There are several floating around. Many of them are misrepresented as MS03-026 exploits. There was another vulnerability disclosed that only causes a DoS condition--no remote compromise.

Regards, =============================== Daniel Ingevaldson Engineering Manager, X-Force R&D dsi@iss.net 404-236-3160

Internet Security Systems, Inc. The Power to Protect http://www.iss.net ===============================

-----Original Message----- From: George Bakos [mailto:gbakos@ists.dartmouth.edu] Sent: Friday, July 25, 2003 3:47 PM Cc: jtk@depaul.edu; nanog@merit.edu Subject: Windows DCOM exploit (was Re: What you don't want to hear from a peer)

On Fri, 25 Jul 2003 14:29:13 -0500 John Kristoff <jtk@depaul.edu> wrote:

...

Maybe it'll help start the weekend with a smile.

Smile for now; it probably won't last. The Windows DCOM exploit that was released today, works perfectly. BTW, how many residential networks (worm fodder) really need port 135/tcp open, anyway?

And I thought I would have time to split some cordwood today. Rats.

George Bakos Institute for Security Technology Studies - IRIA Dartmouth College gbakos@ists.dartmouth.edu 603.646.0665 -voice 603.646.0666 -fax